Government espionage attacks using Daxin malware linked to China

Chinese hackers target multiple sectors with the advanced backdoor

Stealthy Daxin is China’s ‘most advanced piece of malware’

China-based threat actors release advanced malware in the cyber-espionage campaign

Daxin malware, a stealthy backdoor linked to China, was recently discovered by cybersecurity researchers. The threat appears to be designed specifically to spread on hardened corporate networks. The espionage tool has already been deployed against selected governments and critical infrastructure targets.[1] The long-running espionage campaign has been orchestrated by China-linked threat actors since at least 2013.[2]

Technical analysis of this malware shows that it has the hallmarks of advanced malware, including the evasion of threat detection.[3] Daxin is one of the most advanced backdoors ever seen in use by Chinese hackers. The malware takes the unusual form of a Windows kernel driver. Its communication feature helps the malware persist, because it blends its data exchange into regular internet traffic.

The backdoor is built and calibrated for use against hardened targets. It allows threat actors to burrow deep into a network and obtain data without triggering detections or raising suspicion. The info-stealer has been aimed at entities in the telecom, transportation, and manufacturing sectors, industries that are strategic targets for China.

Backdoor provides remote access to a compromised network

Daxin is considered a highly sophisticated threat with complex command-and-control functionality that enables remote actors to reach secured devices that are not directly connected to the internet.[4] The threat implements an elaborate communication mechanism and ensures persistence. In this way, the malware can connect to machines that are physically disconnected from the web.

Trojans with backdoor capabilities like this are created to open access for threat actors. Through them, criminals can steal data, execute commands, and download or install additional malware on the compromised network. Such threats need to encrypt or obfuscate their data transfers so that they do not raise alarms on network traffic monitoring systems.

Daxin does this by monitoring network traffic on the infected device for particular patterns. When such a pattern is detected, a legitimate TCP connection is hijacked and used to communicate with the command-and-control servers. This lets the malware disguise its malicious communication as legitimate traffic and remain undetected.

One of the most advanced threats from China cyber-espionage groups

The Daxin backdoor is linked to the Chinese state-backed hacking group known as Owlproxy or Slug.[5] This particular piece of malware has been used in active attacks since November 2019, but signs of more significant attacks involving its deployment were noticed in May and July of 2020.

The most recent attacks involving the distribution of Daxin were noticed in November 2021 and targeted telecommunications, transportation, and manufacturing companies. A similar backdoor is thought to have been first developed in 2013; the advanced detection-avoidance techniques and other functions were introduced later on.

Observations of the Daxin backdoor itself began later. It is believed that the threat actors managed to evade detection and used the threat in their cyber-espionage attacks long before it was spotted in 2019. According to multiple researchers, it is the most advanced malware that China-based actors have ever used in the wild.

About the author

Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
